HTTP Strict Transport Security IIS Module
http://hstsiis.codeplex.com/project/feeds/rss
A module for IIS which enables HTTP Strict Transport Security compliant with the HSTS Draft Specification (RFC 6797).

Commented Unassigned: Not able to install HSTS using HSTS_IIS_Module_2.2.0.msi [5213]
http://hstsiis.codeplex.com/workitem/5213
As per Installation.md (which I found in ZIP file downloaded from https://github.com/FWest98/hsts-iis-module), I downloaded the installer at -
(https://github.com/FWest98/hsts-iis-module/releases --> HSTS_IIS_Module_2.2.0.msi) and installed it.
After the installation, I didn't find 'HTTP Strict Transport Security' icon in my IIS (Version 7.5.7600.16385).
So I checked for steps in 'Manual installation'. I found everything at its place for sections 'Module' and 'IIS 7.x'. It means installation of the Module has completed successfully.
__BUT I AM STUCK AT 'IIS Manager Plugin' SECTION. There is no 'HSTS-IIS-Module.manager.dll' anywhere, so installation is not able to proceed.__ Can you please help me regarding this?
Comments: ** Comment from web user: Sagar_D **
Can anyone help me with this? I want to make this working.
Sagar_D - Tue, 08 Nov 2016 09:08:08 GMT

Created Unassigned: Not able to install HSTS using HSTS_IIS_Module_2.2.0.msi [5213]
http://hstsiis.codeplex.com/workitem/5213
Sagar_D - Thu, 27 Oct 2016 09:16:36 GMT

New Post: Windows Server 6.2 (Build 9200) - IIS 8.5.9600.16384
https://hstsiis.codeplex.com/discussions/658959
Hello,
I built and installed the HSTS module and it doesn't appear to work correctly in my server/environment and I hope you can give me some info on what I should change.
I have an IIS server with version mentioned above. I don't have anything immediately on the inetpub\wwwroot, the web applications are placed in subfolders and each has its own web.config. After installing the HSTS module and enabling it, a new web.config file is created in inetpub\wwwroot with the hsts info. At this point, IIS is no longer accessible. I get an error on all the applications. Disabling the HSTS on the control panel doesn't work. Eventually, the only way to get the applications to run is to uninstall the HSTS module, remove any web.config file and restart the server.
Any ideas on how I can apply this module on my configuration?
Thanks
Francisco
C09405 - Tue, 25 Oct 2016 15:44:11 GMT

Updated Wiki: Home
https://hstsiis.codeplex.com/wikipage?version=12
Project Description
A module for IIS which enables HTTP Strict Transport Security compliant with the HSTS Draft Specification (RFC 6797).
Version 2.0
Version 2.0 of the module has been released. It is completely rewritten as a native module. It can now be configured to do a redirect for insecure connections.
Justification
Whilst it is simple to add a custom header to an IIS site, there is no simple way to add the HSTS header in a way that is compliant with the draft specification (RFC 6797, http://tools.ietf.org/html/rfc6797). Specifically from section 7.2 (http://tools.ietf.org/html/rfc6797#section-7.2):
"An HSTS Host MUST NOT include the STS header field in HTTP responses conveyed over non-secure transport."
An additional driver for such a module is the seriousness of attack vectors such as sslstrip (http://www.thoughtcrime.org/software/sslstrip/). It is hoped that simplicity of installation and configuration will avoid any excuse for not implementing the most effective defence against such attacks.
Source Code
The source code has been moved to GitHub as of version 2.0: https://github.com/AllTheDucks/hsts-iis-module
Further Reading
- HTTP Strict Transport Security Draft Specification: http://tools.ietf.org/html/rfc6797
- OWASP Appsec Tutorial Series - Episode 4: Strict Transport Security: http://youtu.be/zEV3HOuM_Vw
- OWASP wiki HSTS page: https://www.owasp.org/index.php/HTTP_Strict_Transport_Security
Thanks
Thanks to Phill from Dionach (http://www.dionach.com/) for the fantastic Strip Headers (https://github.com/Dionach/StripHeaders/) IIS extension which is, aside from a great extension, one of the best references for developing a native IIS module.
Thanks also to everyone that has taken the time to report issues and suggest improvements.
FWest98 - Mon, 29 Aug 2016 21:16:30 GMT

Updated Wiki: Home
https://hstsiis.codeplex.com/wikipage?version=11
NOTICE
Due to lack of time, this project is no longer maintained. If you are interested in taking over ownership of the project, please contact me.
shane_argo - Thu, 28 Jan 2016 04:42:17 GMT

Updated Wiki: Home
https://hstsiis.codeplex.com/wikipage?version=10
NOTICE
Due to lack of time, this project is no longer maintained. If you are interested in taking over ownership of the project, please contact me.
shane_argo - Thu, 28 Jan 2016 04:39:22 GMT

Reviewed: HSTS-IIS-Module v2.0.0.0 (Apr 29, 2015)
https://hstsiis.codeplex.com/releases/view/135265#ReviewBy-23234234234234
Rated 1 Stars (out of 5) - Installing it on 2012 R2 server is a nightmare. Even the workarounds described by some users don't work.
23234234234234 - Wed, 29 Apr 2015 13:24:35 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Hi,
I just tried to install v2.0 on Windows 2012 Server (German) and I receive this error:
Failed to find node:
/configuration/system.webServer/modules in XML file:
C:\Windows\system32\intesrv\config\applicationHost.config, system error: -2147020584
Any idea what that could be? It happens at around 40%.
Thanks and kind Regards
Andreas
Comments: ** Comment from web user: hgs7 **
I was doing it in under system.webServer. I got this working though using url-rewrite in IIS so I don't need this module. Thanks though
hgs7 - Fri, 17 Apr 2015 20:04:21 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: wobbypetty **
I am assuming you are seeing the modules section under /configuration/location path="" overrideMode="Allow"/system.webServer. I had to add it under /configuration/system.webServer/. The easiest way to see the hierarchy for me was to open it as an xml document in Internet Explorer.
wobbypetty - Fri, 17 Apr 2015 19:43:27 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: hgs7 **
I am having this issue as well. The suggestion about adding the modules key did not work for me. Why is this needed if there is already a modules line after isapiFilters?
hgs7 - Fri, 17 Apr 2015 17:24:22 GMT

Commented Unassigned: V2 not working [1766]
http://hstsiis.codeplex.com/workitem/1766
Hi,
I installed it on 2008R2. Once it's installed my sites stop working. If I uninstall the module, my sites are okay. Is there a log I can check to review what's wrong?
Comments: ** Comment from web user: Hans_S **
Hi
I had exactly the same issue. After I just installed the module, all websites with "Enable 32-Bit Applications=True" in the application pool stopped working. The application pools crashed each time they were started. Also the module cannot be installed on a 32-bit Windows server. The websites did work as soon as "Enable 32-Bit Applications" is set to False (except for the parts that need 32 bits modules).
In the Browser I got "HTTP Error 503. The service is unavailable."
In the event log the following messages:
- The Module DLL C:\Windows\System32\inetsrv\HstsIisModule.dll failed to load. The data is the error.
- Application pool 'wiki.blabla.com' is being automatically disabled due to a series of failures in the process(es) serving that application pool.
- A listener channel for protocol 'http' in worker process '7084' serving application pool 'wiki.blabla.com' reported a listener channel failure. The data field contains the error number.
I hope this can be fixed. Thanks.
Hans_S - Wed, 01 Apr 2015 16:29:27 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: wobbypetty **
It is looking for the /configuration/system.webServer/modules node and not finding it when I believe it should be looking for /configuration/location path="" overrideMode="Allow"/system.webServer.
Open C:\Windows\system32\intesrv\config\applicationHost.config. I added <modules></modules> after the isapiFilters node in /configuration/system.webServer/ and the installer succeeded. After that you may receive an error in IIS that says Error: Config section 'system.webServer/modules' already defined. I went back and removed what we had just added <modules><add name="HstsIisModule"/></modules>. At the bottom of the config file under /configuration/location path="" overrideMode="Allow"/system.webServer I added back in <add name="HstsIisModule"/>. Saved the config file and everything works.
wobbypetty - Fri, 06 Mar 2015 20:46:07 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: poseidonCore **
Same here: Server 2012 & IIS 8
poseidonCore - Wed, 11 Feb 2015 14:44:00 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: IanAppleby **
Same here clean install of Server 2012 R2 / IIS 8.5
IanAppleby - Sat, 03 Jan 2015 23:55:40 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: merarischroeder **
Also happening for me.
Windows Server 2012 R2
IIS8
English
merarischroeder - Fri, 12 Dec 2014 02:48:22 GMT

Commented Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
Comments: ** Comment from web user: LukasBeran **
I have the same problem. Please resolve it.
LukasBeran - Tue, 25 Nov 2014 14:46:46 GMT

Created Unassigned: Failed to find node [1774]
http://hstsiis.codeplex.com/workitem/1774
sunlab - Wed, 12 Nov 2014 16:19:26 GMT

Created Unassigned: Issues With Exchange 2010 EMC After Installing & Enabling HSTS [1772]
http://hstsiis.codeplex.com/workitem/1772
I've installed the HSTS module on my Webserver which runs IIS 7.5 and enabled it without an issue. All is running well. However after installing and enabling the HSTS Module on two separate Exchange 2010 servers which (both) run Windows Server 2008R2 (IIS 7.5).
The Exchange 2010 Exchange Management Console (EMC) will fail to open on both with the following error.
"__Initialization Failed__
The following error occured while configuring the Help links:
Connecting to the remote server failed wit the following message: The WinRM client received an HTTP server error status (500) but the remote server did not include any other information about the cause of the failure."
If I disable HSTS on both then IISRESET the EMC opens without issue.
Any ideas? Any assistance would be appreciated.
Thanks,
HeskaIT
HeskaIT - Mon, 03 Nov 2014 23:48:38 GMT

Commented Unassigned: V2 not working [1766]
http://hstsiis.codeplex.com/workitem/1766
Comments: ** Comment from web user: shane_argo **
Hi denver125,
Thanks for taking the time to report the issue.
IIS logs to Windows Event Viewer. This is where you'll be able to locate errors and warnings related to the loading of the module. Please have a look around in there and tell me if you see anything interesting.
I have a feeling that I know what the issue is. Can you please tell me if you are using a 32-bit or 64-bit application pool? Can you please provide a screenshot of the "Advanced Settings" of your application pool?
I have had an issue with 32-bit application pools reported, and I will be looking to fix this issue as soon as possible.
Thanks again,
Shane.
shane_argo - Mon, 20 Oct 2014 03:02:08 GMT

Created Unassigned: V2 not working [1766]
http://hstsiis.codeplex.com/workitem/1766
denver125 - Sat, 18 Oct 2014 17:27:22 GMT